Balbix, the leader in cybersecurity posture automation, announced new platform capabilities for software bill of materials (SBOM). Cybersecurity teams now have real-time visibility into software components used across the enterprise – including traditional data centers, the cloud and remote employee devices. The solution does not require access to application source code and includes accurate multi-level dependency mapping and installed locations. Enterprises can identify and remediate software component vulnerabilities, such as Log4j, in hours and days instead of months. In addition, users can export SBOM inventory data in industry-standard formats to inform other tools and workflows.
The need for an SBOM inventory arises because modern software applications usually include dozens of open-source and 3rd-party components. These supply chain dependencies lead to vulnerabilities that are hard to identify and remediate. Recent vulnerabilities – Log4j, Spring4Shell and OpenSSL – are prime examples. The importance of an SBOM inventory is highlighted in U.S. Executive Order 14028, which mandates anyone selling software to the federal government to provide SBOMs. Unfortunately, traditional cybersecurity and asset management tools cannot inventory software component versions. When a Log4j-type vulnerability shows up, cybersecurity teams struggle to identify vulnerability instances and perform the necessary remediation and mitigation actions.
“Since late 2021, our customers have requested assistance to mitigate software component vulnerabilities like Log4j. We were fortunate to have our SBOM solution under development and were able to help our customers address these issues in a matter of days,” said Gaurav Banga, Founder and CEO of Balbix. “Today, I am excited to announce the general availability of a broad set of SBOM capabilities in the Balbix platform.”
In an industry first, Balbix provides a software bill of materials (SBOM) at runtime, including all nested dependencies. The inventory includes component versions, open-source and third-party packages. To do so, Balbix analyses all installed software, their dependencies and run-time services to provide a near real-time, comprehensive and accurate dependency tree. This new capability builds on the continuously updated software and asset inventory already provided by Balbix for assets on-premises or in the cloud.
The Balbix platform also combines SBOM data with CVE data and additional service information to infer software component vulnerabilities and mitigation status with high accuracy and without the need to scan. Cybersecurity teams can automatically identify, prioritize and respond to software component vulnerabilities across their entire environment as they would other software vulnerabilities.
“Software component vulnerabilities are on the rise, and organizations have struggled to discover and remediate such issues quickly,” said Ed Amoroso, CEO at analyst firm TAG Cyber. “Balbix now automates much of that work, drastically reducing the time needed to identify and resolve complex vulnerabilities at scale.”
Unlike other cyber asset attack surface management (CAASM) solution providers, Balbix also allows security teams to export their SBOM inventories in industry-standard formats, including Open Web Application Security Project (OWASP), Cyclone DX, and Software Package Data Exchange (SPDX). IT and security teams can export their SBOM inventory to popular configuration management database (CMDB) tools.
To learn more about Balbix and its SBOM capabilities, visit https://www.balbix.com.
Balbix enables businesses to reduce cyber risk by quickly identifying and mitigating their riskiest cybersecurity issues. Our SaaS platform, the Balbix Security Cloud™, ingests data from businesses’ security and IT tools so they can understand every aspect of their cybersecurity posture, build a unified cyber risk model and obtain actionable insights for risk reduction. With Balbix, businesses can automate their cloud and on-premise asset inventory, conduct continuous risk-based vulnerability management and quantify cyber risk in dollars. Executives and operational teams can make cybersecurity decisions based on data, not opinions.
A rapidly growing set of Fortune 500 companies trust Balbix as the “brain” of their infosec programs and are realizing the benefits of maximally automated workflows and reduced cyber risk. Balbix was recognized in CNBC’s 2022 list of Top 25 Startups for the Enterprise and ranked #32 on the 2021 Deloitte Fast 500 North America.